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DETAILED ACTION 

1. This action is responsive to Applicant's amendment dated 1/17/2006, responding to the 
10/18/2005 Office action provided in the rejection of claims 1-11, 13-30, and 32-40, wherein 
claims 32, 33, and 37-40 have been amended. Claims 1-11, 13-30, and 32-40 remain pending in 
the application and have been fully considered by the examiner. 

Response to Arguments 

2. Applicant's arguments, see page 24 paragraph 3, filed 1/26/2006, with respect to the 
rejection(s) of claim(s) 1 and 17 under 35 U.S.C. § 103(a) have been fully considered and are 
persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, 
a new ground(s) of rejection is made in view of "Dominators, super blocks, and program 
coverage" by Agrawal. 

Notice of References Cited 

3. The primary reference used in prior Office Actions, "Coverability Analysis Using 
Symbolic Model Checking", was originally cited with respect to the publisher (IBM) because it 
did not carry an expressed designation of authorship. However, an additional search of prior art 
has revealed the proper authorship of the primary reference as being written by S. Ur and Y. 
Wolfsthal. A new document has been cited in the "Notice of References Cited" containing the 
proper authorship citation and original document formatting. Although the documents have 
different formatting, the text of the prior reference and the newly cited reference is exactly the 



Application/Control Number: 1 0/003,482 Page 3 

Art Unit: 2192 

same, and volume number, issue number, and publication date are identical. Therefore, the 
original citation is now considered in light of newly found authorship information. 

Claim Rejections - 35 USC §103 

4. The following is a quotation of 35 U.S.C 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 1-10, 13-28, 30, 32-36 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over prior art of record "Coverability Analysis Using Symbolic Model Checking" by Ur et al. 
(hereinafter "Ur") in view of the "Background of the Invention" section found on pages 1-13 of 
the originally filed specification (hereinafter "BOTI") in view of "Dominators, super blocks, and 
program coverage" by Agrawal (hereinafter "Agrawal"). 



In regard to claim 1, Ur discloses: 

A method for performing coverability analysis in software, See Ur page 1 
paragraph 3: 

Every coverage model has a corresponding coverability model. A coverability model is 
defined by creating, for every coverage event indicator in coverage model, a coverability 
event indicator which is binary function on the state-machine model. The coverability 
event indicator is true if there exists a test on the state-machine model for which the 
corresponding coverage event indicator is true. 

comprising: 
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formulating respective coverability tasks for the dominating blocks of the SUT; 

See Ur page 1 paragraph 4 lines 1-3: 

First, as described above, a coverage model is in fact composed of coverage event 
indicators, each of which is mappable to a corresponding coverability indicator. 

generating rules regarding behavior of the SUT corresponding respectively to the 

coverability tasks; See Ur page 1 paragraph 4 lines 3-8: 

The second observation is that a state-machine model can be instrumented with control 
variables and related transitions which, on one hand, retain the original model behavior as 
reflected on the original state variables, and, on the other hand, can be used for 
coverability analysis of the model. The analysis is carried out by formulating special 
rules on the instrumented model, and presenting these rules (with the instrumented 
model) to a Symbolic Model Checker. 

for each of the rules, running a symbolic model checker to test a behavioral 

model of the SUT, so as to produce respective results for the rules; See Ur page 1 

paragraph 4 lines 6-8 as cited above: 

The analysis is carried out by formulating special rules on the instrumented model, and 
presenting these rules (with the instrumented model) to a Symbolic Model Checker. 

and 

computing a coverability metric for the SUT responsive to the results and the 
coverability tasks. See Ur page 1 paragraph 1 : 

. . .it is shown how a number of coverability metrics, corresponding to some commonly- 
used coverage metrics (statement, multi-condition), can be implemented via Symbolic 
Model Checking (1). 
wherein computing the coverability metric comprises: 

evaluating an attained coverability responsive to the respective results produced 
by running the symbolic model checker; evaluating an unattained coverability responsive 
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to the respective results produced by running the symbolic model checker; See page 1 
paragraph 3: 

A coverability model is defined by creating, for every coverage event indicator in 
coverage model, a coverability event indicator which is binary function on the state- 
machine model The coverability event indicator is true if there exists a test on the state- 
machine model for which the corresponding coverage event indicator is true. 

And further on page 1 paragraph 4 lines 6-8 as cited above: 

The analysis is carried out by formulating special rules on the instrumented model, and 
presenting these rules (with the instrumented model) to a Symbolic Model Checker. 

These passages show that rules are presented to a symbolic model checker, and an 
indicator function returns true or false depending on the return value of the binary 
function. In other words, an evaluation is made by the symbolic model checker to 
determine whether coverability has been attained or if coverability is unattained. 

Ur does not expressly disclose performing a static analysis of software under test 
(SUT) so as to identify a plurality of dominating blocks in the SUT, comparison of 
attained coverability and coverability tasks, calculation based on the comparison, or 
analyzing the model based on unattained coverability. 

However, in an analogous environment, BOTI teaches: 
performing a static analysis of software under test (SUT) so as to identify a 
plurality of dominating blocks in the SUT (BOTI: page 1 1 line 1 1 - page 12 line6: 

As noted earlier, some optimizations in model checking borrow concepts from 
compiler theory. These concepts are known in the art, and include a basic block— a set of 
one or more statements within the same control-flow construct. Another useful, related 
concept is that of dominating blocks, including pre-dominating and post-dominating 
blocks. 

Also Fig. 4 and associated text on page 12 lines 17-29 teaches dominating blocks. 
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performing a comparison between the attained coverability and the coverability 
tasks; See BOTI page 3 lines 14-15: 

The oracle function performs a comparison step 34 between actual results of execution 24 
and expected results 32. . . 

calculating the coverability metric responsive to the comparison; See page 3 
lines 16-17: 

. . .and condition 36 determines the success or failure of the test. 
analyzing the behavioral model of the SUTwith respect to the unattained 

coverability. See page 3 lines 17-19: 

An outcome of failure generally indicates a defect in SUT 10, which requires developer 
attention in a debug step 38. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to use BOTFs teaching of software test procedures with Ur's 
coverability tool. One of ordinary skill would have been motivated to analyze source 
code to identify dominating blocks in order to perform computational optimizations to 
reduce the amount of time spent analyzing a model. Further, one would be motivated to 
compute a relative success or failure of a test in order to determine whether further 
analysis is necessary. 

Further, while Ur discloses statement coverage based on rule generation (see page 
2 paragraph 1 lines 3-4) and the relationship of coverability event indicators with 
coverage event indicators (page 1 paragraph 3), Ur does not disclose the generation of 
rules in relation to control-flow structures. However, BOTI teaches these limitations as 
follows: generating a number of rules less than, by a factor in a range from two to ten, a 
number of basic blocks in the SUT, and wherein the number of rules is a function of a 
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control-flow structure of the SUT, BOTI teaches model checking optimizations using 
basic blocks, control flow and domination in terms of "subset cover" algorithms to reduce 
coverage state space (e.g. page 5 lines 10-19 and page 1 1 line 33 - page 13). BOTI 
teaches that basic blocks are made up of statements (page 12 lines 1-4). BOTI further 
describes the control-flow structure of Fig. 4 in relation to Table II and the subset cover 
problem on page 13. In this example, the subset cover problem is solved to produce a 
subset T: 

Solving the subset cover problem produces a subset T that covers all the basic blocks in 
SUT 10, i.e., if every basic block in subset T executes, all basic blocks in SUT must 
execute. By inspecting the preceding table, it is noted that (B, C) comprise such a 
subset, since, if Blocks B and C execute, Blocks A, D, and E must of necessity also 
execute. 

The number of basic blocks in the subset T is less than, by a factor of 2.5, the number of 
basic blocks in SUT 10. In the case of statement coverage (disclosed by Ur), a reduction 
in coverage state space using a subset cover algorithm inherently provides a reduction in 
a number of rules since only a subset of blocks needs to be analyzed. It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to use 
BOTI's teaching of the subset cover problem with Ur's teaching of a statement 
coverage/coverability model. The statement coverage/coverability model contains an 
event indicator for every statement. The subset cover analysis found in BOTI shows that 
only a subset of basic blocks requires such event indicators. Thus, the number of rules 
would be a function of the control-flow structure. One of ordinary skill would have been 
motivated to reduce the work required of a model checker (BOTI page 5 lines 17-19). 

Ur discloses statement coverage by generating a rule for every statement (e.g. 
page 2 paragraph 1). BOTI teaches reduction in state space of basic block coverage 
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(page 13). Ur and BOTI do not expressly disclose that the teachings of basic block 
coverage can be used with statement coverage. However, Agrawal teaches that coverage 
of basic blocks implies coverage of statements (See footnote on page 25): 

It is same as the statement coverage problem as covering all basic blocks implies 
covering all statements, and vice versa. 
It would have been obvious to one of ordinary skill in the art at the time the invention 

was made to use Agrawal's teaching of basic block and statement coverage with BOTTs 

teaching of coverage optimizations with Ur's rule generation in order to reduce space and 

time overhead as suggested by Agrawal (page 25 column 2 paragraph 3). 

In regard to claim 2, the above rejection of claim 1 is incorporated. Ur does not 
expressly disclose: writing the SUT in a programming language adapted to define at least 
one of a group of elements comprising a software element and a hardware element. 
However, BOTI teaches on page 4 lines 25-29 of the originally filed specification of the 
incorporated reference "Symbolic Model Checking without BDDs" by Biere et al. 
(hereinafter "Biere"). Further review of Biere reveals the use of the "SMV language" in 
Section 6. This leads to the reference "Symbolic Model Checking" by McMillan 
(hereinafter "McMillan") which defines the SMV language in Chapter 3. Since the SMV 
language is implemented as a software programming language, it inherently provides for 
software elements. McMillan then goes on to use the software elements in terms of 
hardware in Chapter 4. As such, it also defines hardware elements. It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to use 
BOTI's teaching of SMV with Ur's model checker. One of ordinary skill would have 
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been motivated to provide a symbolic description of the transition relation of a finite 
Kripke structure in order to provide a great deal of flexibility. 

In regard to claim 3, the above rejection of claim 1 is incorporated. Ur does not 
expressly disclose: wherein performing the static analysis of the SUT comprises: 
identifying a set of dominating blocks in the SUT; and solving a subset cover problem on 
the set of dominating blocks so as to identify the plurality of dominating blocks. 
However, BOTI teaches solving a subset cover problem on page 13 lines 3-11. It would 
have been obvious to one of ordinary skill in the art at the time the invention was made to 
use BOTFs teaching of a subset cover problem with Ur's model checker. One of 
ordinary skill would have been motivated to use an efficient algorithm that solves the 
subset cover problem in order to save execution time. 

In regard to claim 4, the above rejection of claim 3 is incorporated. Ur does not 
expressly disclose: wherein the set of dominating blocks comprises a set of all 
dominating blocks in the SUT, and wherein the plurality of dominating blocks comprises 
fewer blocks than the set of all dominating blocks in the SUT However, BOTI teaches a 
subset of dominating blocks on page 13 line 5. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to use BOTFs teaching of a 
subset of dominating blocks with Ur's model checker. One of ordinary skill would have 
been motivated to reduce the computation space in order to reduce execution time. 

In regard to claim 5, the above rejection of claim 4 is incorporated. Ur does not 
expressly disclose: wherein running the symbolic model checker comprises performing a 
number of executions of the symbolic model checker smaller than a total number of all 
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the dominating blocks in the SUT However, by the definition and example given in 
BOTI page 13 lines 17-21, the Greedy Algorithm "selects a block with the largest set of 
dominated blocks, constructs a list of covered blocks, and repeats until the list of covered 
blocks contains each block in the SUT." This results in a smaller number of "executions" 
than blocks. It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to use BOTI's teaching of the Greedy Algorithm with Ur's model 
checker. One of ordinary skill would have been motivated to reduce the computation 
space in order to reduce execution time. 

In regard to claim 6, the above rejection of claim 1 is incorporated. Ur further 
discloses: wherein formulating the respective coverability tasks for the dominating blocks 
of the SUT comprises formulating coverability tasks by at least one of a group of methods 
comprising manual formulation and automatic formulation. See Ur: "mappable to a 
corresponding coverability indicator." Mapping must be either manual or automatic, 
there are no there options. 

In regard to claim 7, the above rejection of claim 1 is incorporated. Ur further 
discloses: wherein generating the rules regarding behavior of the SUT comprises 
generating rules by at least one of a group of methods comprising manual generation and 
automatic generation. See Ur: "formulating special rules on the instrumented model. . .". 
Formulation must be either manual or automatic, there are no other options. 

In regard to claim 8, the above rejection of claim 1 is incorporated. Ur further 
discloses: wherein running the symbolic model checker to test the behavioral model of 
the SUT comprises: evaluating the respective results so as to determine the truth or 
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falsity of the rule; and generating a list of uncoverable elements responsive to the 
respective results. See Ur: "The coverability event indicator is true if there exists a test on 
the state-machine model for which the corresponding coverage event indicator is true. 

In regard to claim 9, the above rejection of claim 1 is incorporated. Ur further 
discloses: wherein generating the rules regarding behavior of the SUT corresponding 
respectively to the coverability tasks comprises instrumenting the SUT by adding one or 
more statements and one or more auxiliary variables thereto, so as to facilitate 
evaluation of the rules. Ur page 1 paragraph 4: "formulating special rules on the 
instrumented model"; also page 2 line 1 : "adding a counter after every statement and 
initializing it to zero." 

In regard to claim 10, the above rejection of claim 9 is incorporated. Ur further 
discloses: wherein instrumenting the SUT comprises: determining a plurality of basic 
blocks comprised in the SUT; and for each basic block: defining an auxiliary variable for 
the block; initializing the auxiliary variable to zero; and assigning the auxiliary variable 
a non-zero value upon execution of the basic block. Ur page 2 line 1 : "initializing it to 
zero. . . some of the counters are modified". 

In regard to claim 13, the above rejection of claim 1 is incorporated. Ur further 
discloses: analyzing a design of the SUT, responsive to the coverability metric, for at 
least one of a group of properties comprising dead code, unattainable states, uncoverable 
statements, uncoverable states, unattainable transitions, unattainable variable values, 
and unreachable conditions. Ur page 2 paragraph 1 : "... a warning on the existence of 
dead-code is created for every statement that cannot be reached." 
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In regard to claim 14, Ur does not expressly disclose applying a testing strategy 
chosen from one of a group of strategies comprising excluding uncoverable elements 
from coverage measurements, setting coverage goals responsive to the coverability 
metric, and determining a criterion for stopping testing responsive to the coverability 
metric. However, BOTI teaches at least setting coverage goals on page 2 lines 3-29. It 
would have been obvious to one of ordinary skill in the art at the time the invention was 
made to use BOTFs teaching of coverage goals with Ur's coverability tool. One of 
ordinary skill would have been motivated to set coverage goals in order to attain a well- 
defined level of success. 

In regard to claim 15, the above rejection of claim 14 is incorporated. Ur further 
discloses: wherein the uncoverable elements comprise one or more elements chosen from 
a group of elements comprising uncoverable statements, uncoverable states, unattainable 
transitions, unattainable variable values, and unreachable conditions. Ur page 1 : 
"statement, multi-condition... define-use, mutation, and loop"; also page 2: "a warning 
on the existence of dead-code is created for every statement that cannot be reached." 

In regard to claim 16, the above rejection of claim 1 is incorporated. Ur further 
discloses: wherein formulating the respective coverability tasks for the dominating blocks 
of the SUT comprises: identifying a coverage model for the SUT; defining a coverability 
model for the SUT responsive to the coverage model; and generating the respective 
coverability tasks responsive to the coverability model Ur page 1 : "a coverage model is 
in fact composed of coverage event indicators, each of which is mappable to a 
corresponding coverability indicator." 
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In regard to claim 17, Ur does not expressly disclose a second coverability task, 
an inflator, an inflated result, or evaluating a second coverability task responsive to the 
inflated result. However, BOTI teaches: 

running a symbolic model checker comprising an inflator to test a behavioral 
model of the SUT responsive to the rule so as to produce an inflated result; See BOTI 
page 6 lines 26-29: 

Symbolic model checker system 56 contains an optional inflator 64 which expands the 
scope of the model checker output, as described in more detail below, with reference to 
FIG. 3 

evaluating the second coverability task responsive to the inflated result. See BOTI 
page 7 lines 22-28: 

Inflator 64 provides a way to include additional variables in the trace in result 80, by 
generating plausible values for additional variables. Inflator 64 sets input variables to 
random values, and computes values for additional values based on the random input 
variables and the contents of the counter-example. 
All further limitations have been addressed in the above rejection of claim 1. 

It would have been obvious to one of ordinary skill in the art at the time the 

invention was made to use BOTI's teaching of using an inflator with Ur's model checker. 

One of ordinary skill would have been motivated to introduce additional random 

variables into a system to overcome the variable space reduction introduced by the cone 

of influence optimization. 
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In regard to claim 18, the above rejection of claim 17 is incorporated. Ur does not 
expressly disclose: wherein formulating the second coverability task comprises choosing 
a plurality of coverability tasks from a set of all coverability tasks for the SUT f and 
wherein evaluating the second coverability task comprises evaluating the plurality. 
However, BOTI teaches on page 7 lines 25-28 that an inflator computes values based on 
random input variables and the contents of the counter-example. This result is fed back 
and executed until all coverable tasks have been examined. It would have been obvious 
to one of ordinary skill in the art at the time the invention was made to use BOTI's 
teaching of an inflator with Ur's model checker. One of ordinary skill would have been 
motivated to exhaust the computation space until all possible tasks have been evaluated. 

In regard to claims 19, 21-28, 32-34, and 36, the above rejection of claim 17 is 
incorporated. All further limitations have been addressed in the above rejections of 
claims 3, 4, 5, 2, and 6-10, and 13-16, respectively. 

In regard to claim 20, the above rejection of claim 19 is incorporated. Ur does not 
expressly disclose: wherein selecting the first coverability task comprises: identifying a 
greatest-influence dominating block having a largest set of dominated blocks comprised 
in the plurality; and selecting the first coverability task responsive to the greatest- 
influence dominating block. However, BOTI teaches the "Greedy Algorithm" on page 13 
lines 17-21 for identifying optimal coverability tasks. It would have been obvious to one 
of ordinary skill in the art at the time the invention was made to use BOTFs teaching of 
the Greedy Algorithm with Ur's model checker. One of ordinary skill would have been 
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motivated to reduce the computation space of the model in order to reduce execution 
time. 

In regard to claim 30, the above rejection of 17 is incorporated. Ur does not 
expressly disclose: wherein running the symbolic model checker comprises producing the 
inflated result regardless of the truth or falsity of the rule. However, BOTI teaches 
inflation on page 7 lines 6-29, without regard to whether a rule is true or false. An 
inflator finds values outside of the cone of influence regardless of the value of any 
particular rule. 

In regard to claim 35, the above rejection of claim 35 is incorporated. Ur does not 
expressly disclose: performing a plurality of executions of an inflator program so as to 
produce a plurality of inflated results; and evaluating the second coverability task 
responsive to the plurality of inflated results. However, BOTI teaches on page 7 lines 
22-29 that an inflator is useful for obtaining a plurality of values outside the cone of 
influence. It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to use BOTFs teaching of inflators with Ur's model checker. One of 
ordinary skill would have been motivated to repeat the execution of an inflator in order to 
obtain additional results that lie outside the cone of influence. 

6. Claims 1 1 and 29 are rejected under 35 U.S.C. 103(a) as being unpatentable over the 
combination of Ur, BOTI, and Agrawal as applied to claims 1 above, and further in view of prior 
art of record U.S. Patent 5,579,515 to Hintz et al. (hereinafter "Hintz"). 
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In regard to claim 1 1, the above rejection of claim 9 is incorporated. The 
combination of Ur and BOTI do not expressly disclose: determining a plurality of basic 
blocks comprised in the SUT; defining a single auxiliary variable for the SUT; 
initializing the single auxiliary variable to zero; and assigning a unique non-zero value 
to the single auxiliary variable upon execution of each basic block However, in an 
analogous environment, Hintz teaches in column 3 lines 20-25 that a variable can be used 
to uniquely identify separate logical entities. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to use Hintz's teaching of 
unique non-zero entities in Ur's coverability tool. One of ordinary skill would have been 
motivated to uniquely identify an executed block in order to determine the coverage 
status of the block. 

In regard to claim 29, the above rejection of claim 27 is incorporated. All further 
limitations have been addressed in the above rejection of claim 11. 

7. Claims 37-40 are rejected under 35 U.S.C. 103(a) as being unpatentable over the 
combination of Ur, BOTI, and Agrawal and further in view of prior art of record U.S. Patent 
6,484,134 to Hoskote (hereinafter "Hoskote"). 

In regard to claims 37 and 38, Ur does not expressly disclose an apparatus. 
However, in an analogous environment, Hoskote teaches such an apparatus in Fig. 1 and 
column 3 lines 18-57. All further limitations have been addressed in the above rejection 
of claims 1 and 17, respectively. It would have been obvious to one of ordinary skill in 
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the art at the time the invention was made to use Hoskote's apparatus with Ur's method. 
One of ordinary skill would have been motivated to implement a method on an apparatus 
that can efficiently carry out the method. 

In regard to claims 39 and 40, Ur does not expressly disclose a computer software 
product. However, Hoskote teaches such a product in claim 3 lines 48-64. All further 
limitations have been addressed in the above rejection of claims 1 and 17, respectively. It 
would have been obvious to one of ordinary skill in the art at the time the invention was 
made to use Hoskote's software product with Ur's method. One of ordinary skill would 
have been motivated to store instructions for a method for easy distribution and archival. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to J. Derek Rutten whose telephone number is (571) 272-3703. The 
examiner can normally be reached on T-Th 6:00-6:30, F 6:00-10:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tuan Q. Dam can be reached on (571) 272-3695. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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